Inaccurate testimony creates problem for Shumlin administration

Mark Larson failed to tell lawmakers about privacy problem that occurred in October on new online health insurance marketplace

Nov. 25, 2013

Gov. Peter Shumlin, flanked by Mark Larson, commissioner of the Department of Vermont Health Access and Robin Lunge, director of health care reform, fields questions at an Oct. 24th news conference about the rocky launch of Vermont Health Connect, the state's new online health insurance marketplace. Monday Shumlin faced more questions about Larson's failure to tell a legislative panel about an incident in which one customer's confidential information was provided to another customer. / NANCY REMSEN/FREE PRESS

Written by

Free Press Staff Writer

The troubled rollout of Vermont Health Connect, the state’s new online insurance marketplace, was bound to become a political liability for Gov. Peter Shumlin.

The risk mushroomed over the weekend with a news report that Vermont Health Connect had experienced a breach of confidentiality involving the accidental sharing of one customer’s information with another.

More significantly, the news report about this Oct. 17 incident made clear that an administration spokesman for Vermont Health Connect had failed to mention the incident to the House Health Care Committee three weeks ago when responding to a committee member’s question about the health marketplace’s security.

Instead, Mark Larson, commissioner of the Department of Vermont Health Access, told Rep. Mary Morrissey, R-Bennington, “We have no situation in which someone’s private information has been breached.”

The governor said he learned about the breach shortly after it occurred and had received subsequent updates about fixes and a filing with federal regulators about it.

It wasn’t until Saturday when information about the breach became public that Shumlin said he found out about his commissioner’s lack of transparency before a House committee.

Monday Shumlin told reporters he wouldn’t fire Larson over his failure to disclose the confidentiality breach. "I never asked him to do anything but continue the work he is doing," he said. "We all know people make mistakes."

He defended Larson’s response saying, "He felt the question was based on the kind of external breach that makes us all very nervous.” Shumlin emphasized, "It wasn't an external breach."

Still, in a written statement, Shumlin put Larson and others on notice.

“I am tremendously disappointed in Commissioner Larson’s lapse of judgment in this matter. The legislators in Montpelier represent the Vermonters we are all elected to serve, and they have a right to have their questions answered fully. That did not happen in this case, and I have made clear to Mark and other members of my administration that it must never happen again.”

(Page 2 of 4)

The governor’s statement included an expectation that Larson would work to regain the trust that he — and the Shumlin administration — lost as a result of his omission.

In a letter dated Sunday and released Monday, Larson apologized to the chairman of the House Health Care Committee.

Larson explained that he viewed Morrissey’s question as being about external breaches by hackers or intentional misuse of private information. The incident that had occurred, he said, “was limited to an inadvertent sharing of information between two individuals rather than a broader, purposeful, or improper data breach and it did not require further action or public reporting under either CMS rules or state law.”

Here’s what was required. The directions atop the state insurance exchange security incident report form require submission of these reports to the state’s designated contact at the Centers for Medicare and Medicaid Services within an hour of discovery of a security problem.

Greg Needle, privacy officer for Vermont Health Connect, filed a state health insurance exchange security incident report at 4 p.m. Oct. 17, the same day a customer called about receiving by mail a copy of the customer’s insurance application, which the customer had filled out online. The anonymous mailing included the printed warning, “Vermont Health Connect is not a secure website.”

Needle’s report said Vermont Health Connect officials conducted an investigation and determined that two individuals apparently had the same username, which gave them both access to one customer’s detailed application account. The investigators said this linkage was an “isolated event.”

The state’s explanation apparently satisfied federal regulators.

Jack Green, the Agency of Human Services information security director, noted in an Oct. 24th email to the “after-action group” at Vermont Health Connect that he had received a call from a federal official on Oct. 23 “indicating that our privacy incident was successfully closed.”

Larson, a former legislator and chairman of the House Health Care Committee, acknowledged that he bungled his appearance before many colleagues.

(Page 3 of 4)

“It is extremely important that Vermonters and you who serve as their representatives have confidence in the information shared by public servants,” he wrote. “I take this responsibility very seriously and regret that my answers have not inspired the confidence that Vermonters should expect.”

Larson asked for the opportunity to come back to the committee “to answer any questions this incident has raised.”

He wrote, too, that he worried publicity about his failure to speak about the incident would undermine public confidence in the security of Vermont Health Connect. “The security of information within Vermont Health Connect is a top priority and I want to assure the public that appropriate procedures and policies are in place to protect the privacy of information and security of the website.”

House Speaker Shap Smith, D-Morristown, noted in a statement that he considered Larson a friend and had made him chairman of the House Health Care Committee before Larson joined the Shumlin administration.

“Incidents such as this erode the public confidence in their officials,” Smith said. “A breach such as this will undermine Commissioner Larson’s ability to be an effective representative for the administration in the Legislature.”

Larson’s assurances have lost a lot of credibility and not just from this single incident.

House Health Committee Chairman Michael Fisher, D-Lincoln, noted that when Larson testified on Nov. 5, committee members probed, trying to learn why the administration had failed to spell out in advance the problems that have plagued Vermont Health Connect from opening day. “It has been challenging to get a real picture,” Fisher said Monday.

Rep. Christopher Pearson, P-Burlington, suggested Nov. 5 that Larson and others had “sugarcoated” their assessments of the website’s readiness.

Then, when Morrissey asked her question about security, Fisher said Larson “blew it. He didn’t give us accurate information. That is a big deal.”

“I have a long working relationship with Mark,” Fisher noted. “I have never experienced this kind of omission.”

(Page 4 of 4)

The House Health Care Committee will meet with Larson, although not until January, Fisher said. “The committee needs the opportunity to express itself. The committee desires a real explanation of what security concerns there have been.”

Morrissey, the lawmaker who posed the question that triggered Larson’s blanket denial of breaches, said it would be hard to rebuild trust in future statements from Larson. She questioned how lawmakers would be able to determine if someone was speaking forthrightly to them. “That is a big nut to crack.”

A statement from David Sunderland, chairman of the Vermont Republican Party, suggests the broader political fallout from Larson’s lapse.

“Commissioner Larson had a reputation as an honest legislator and one can only assume that his decision to withhold important security information may have been influenced by the governor or his office. Whatever happened, we hope it’s not a sign that the administration and governor think it’s appropriate to withhold information from, or mislead, Vermonters.”

Darcie Johnston, long a skeptic of the administration’s statements about the new marketplace, questioned whether the administration could re-establish the lost trust.

Maybe the governor could postpone use of Vermont Health Connect for a year while state officials and their consultants worked out all the bugs, she said, offering up a proposal she has made frequently. “That is a start.”

“Since the launch, they haven’t been forthcoming and transparent,” she continued. “Vermonters trusted their insurance companies,” she said. “That is what Gov. Shumlin had to create with Vermont Health Connect and he failed.”